From 9449f5017a6feff7e70d625d54d75d514ed2e596 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 3 Oct 2019 20:45:14 +0000 Subject: [PATCH 1/7] Create hide-hardware-info --- usr/lib/security-misc/hide-hardware-info | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 usr/lib/security-misc/hide-hardware-info diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info new file mode 100644 index 0000000..587fd5d --- /dev/null +++ b/usr/lib/security-misc/hide-hardware-info @@ -0,0 +1,21 @@ +#!/bin/bash + +## sysfs and debugfs expose a lot of information +## that should not be accessible by an unprivileged +## user which includes hardware info, debug info and +## more. This restricts /sys, /proc/cpuinfo, /proc/bus +## and /proc/scsi to the root user only. This hides +## many hardware identifiers from ordinary users +## and increases security. +for i in /proc/cpuinfo /proc/bus /proc/scsi /sys +do + if [ -e "${i}" ]; then + chmod og-rwx "${i}" + else + ## /proc/scsi doesn't exist on Debian so errors + ## are expected here. + if ! [ "${i}" = "/proc/scsi" ]; then + echo "ERROR: ${i} could not be found." + fi + fi +done From ce97e5ed8203809619d8fdf630242712c188cede Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 3 Oct 2019 20:45:29 +0000 Subject: [PATCH 2/7] Create hide-hardware-info.service --- lib/systemd/system/hide-hardware-info.service | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 lib/systemd/system/hide-hardware-info.service diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service new file mode 100644 index 0000000..b2efb26 --- /dev/null +++ b/lib/systemd/system/hide-hardware-info.service 
@@ -0,0 +1,14 @@ +[Unit] +Description=Hide hardware information to unprivileged users +Documentation=https://github.com/Whonix/security-misc +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=oneshot +ExecStart=/usr/lib/security-misc/hide-hardware-info + +[Install] +WantedBy=multi-user.target From ec5fcf813b80347e5d8aa55dbd5d77860e62ccc6 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 3 Oct 2019 20:50:48 +0000 Subject: [PATCH 3/7] Update control --- debian/control | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/control b/debian/control index b604cb1..461f477 100644 --- a/debian/control +++ b/debian/control @@ -84,6 +84,13 @@ Description: enhances misc security settings * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns + . + * A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and + /sys to the root user only. This hides a lot of hardware identifiers from + unprivileged users and increases security as /sys exposes a lot of information + that shouldn't be accessible to unprivileged users. As this will break many + things, it is disabled by default and can optionally be enabled by running + `systemctl enable hide-hardware-info.service` as root. . Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. From b06ab912c04d3d8746afa7492d0c3bb17bf71932 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 3 Oct 2019 21:37:29 +0000 Subject: [PATCH 4/7] Add licensing --- lib/systemd/system/hide-hardware-info.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index b2efb26..0f039f2 100644 
--- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service @@ -1,3 +1,6 @@ +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + [Unit] Description=Hide hardware information to unprivileged users Documentation=https://github.com/Whonix/security-misc From 87917d2f03d5e510f4e2cbdbea2a7692146e820b Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 3 Oct 2019 21:38:07 +0000 Subject: [PATCH 5/7] Add licensing --- usr/lib/security-misc/hide-hardware-info | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info index 587fd5d..4a1eec0 100644 --- a/usr/lib/security-misc/hide-hardware-info +++ b/usr/lib/security-misc/hide-hardware-info @@ -1,5 +1,8 @@ #!/bin/bash +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## sysfs and debugfs expose a lot of information ## that should not be accessible by an unprivileged ## user which includes hardware info, debug info and From e06eeec6788a46a28682b2c83f1de9f83eacf3bd Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 3 Oct 2019 21:42:06 +0000 Subject: [PATCH 6/7] Disable hide-hardware-info.service by default --- lib/systemd/system-preset/50-security-misc.preset | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 lib/systemd/system-preset/50-security-misc.preset diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset new file mode 100644 index 0000000..945d98a --- /dev/null +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -0,0 +1,4 @@ +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +disable hide-hardware-info.service From 7345287560bc701f8b4aead985238d66104b228c Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 4 Oct 2019 17:32:52 +0000 Subject: [PATCH 7/7] Use sysinit.target instead --- lib/systemd/system/hide-hardware-info.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index 0f039f2..9b0e215 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service @@ -14,4 +14,4 @@ Type=oneshot ExecStart=/usr/lib/security-misc/hide-hardware-info [Install] -WantedBy=multi-user.target +WantedBy=sysinit.target
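Review bot: In usr/lib/security-misc/hide-hardware-info (1/7) the failure paths never change the exit status, so the oneshot unit reports success even when the restriction was not applied. The return value of `chmod og-rwx "${i}"` is ignored, the `echo "ERROR: ${i} could not be found."` goes to stdout rather than stderr, and the loop falls through to exit 0. A silent failure here leaves /sys and /proc readable while systemd shows the unit as having run, so suggest `set -e` (or checking chmod explicitly), writing the error with `>&2`, and ending with a non-zero exit when any mandatory path was missing or could not be changed. The /proc/scsi exception can stay, but it reads more clearly as a `continue` before the `[ -e "${i}" ]` test than as a nested condition in the else branch.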
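Review bot: In lib/systemd/system/hide-hardware-info.service (2/7) the install section is inconsistent with the ordering: `Before=sysinit.target` together with `DefaultDependencies=no` places the unit in early boot, but `WantedBy=multi-user.target` only pulls it in at the much later multi-user stage (7/7 in this series changes this to sysinit.target). Two smaller points: `Description=Hide hardware information to unprivileged users` should read "from unprivileged users", and a `Type=oneshot` unit without `RemainAfterExit=yes` shows as inactive (dead) after it runs, which makes it hard to see from `systemctl status` whether the restriction is currently in effect; adding `RemainAfterExit=yes` fixes that.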
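Review bot: The new debian/control paragraph (3/7) tells the admin to run `systemctl enable hide-hardware-info.service`, but enabling alone only takes effect at the next boot because the unit is a boot-time oneshot; either say so or document `systemctl enable --now hide-hardware-info.service`. The text also says this "hides a lot of hardware identifiers" without qualifying the scope: the restriction applies to filesystem reads of /proc/cpuinfo, /proc/bus, /proc/scsi and /sys only, so for example CPU model and feature flags remain available to any local process through the unprivileged CPUID instruction on x86. Since the paragraph already acknowledges "this will break many things", naming the kind of breakage (anything running as a non-root user that reads /sys, for example to enumerate devices) would let the admin judge the trade-off before enabling it.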
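Review bot: The license headers added in 4/7, 5/7 and 6/7 read `## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP`, but all three files are created in this series with `Date: ... Oct 2019`; the range should extend to 2019 (or match whatever the project's other files currently state) so that newly created files are not shipped with a copyright year that predates their creation.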
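Review bot: The preset `disable hide-hardware-info.service` in lib/systemd/system-preset/50-security-misc.preset (6/7) only has effect when `systemctl preset` is actually applied to this unit, and Debian's debhelper enables units shipped by a package from postinst by default. Please confirm that the package's rules and postinst do not enable the unit unconditionally (for example via dh_installsystemd without excluding this unit), otherwise the "disabled by default" promise in debian/control would not hold on a fresh install. A quick check after installing the package: `systemctl is-enabled hide-hardware-info.service` should print `disabled`.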
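Review bot: Changing `WantedBy=multi-user.target` to `WantedBy=sysinit.target` (7/7) makes the install section consistent with `Before=sysinit.target`, but it also moves the enablement symlink: systems where the unit was already enabled under the previous WantedBy keep a stale symlink in multi-user.target.wants and need `systemctl reenable hide-hardware-info.service` to pick up the new target. Worth a line in the commit message or the package changelog, since the subject `Use sysinit.target instead` does not say why the change was made.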